External Authorization in Tier-1 Gateways

TSB provides authorization capability to authorize every request coming to your service from a public network. This document will describe how to configure Tier-1 Gateway authorization using Open Policy Agent (OPA) as an example.

Before you get started, make sure you:
✓ Familiarize yourself with TSB concepts.
✓ Completed Tier-1 Gateway routing to Tier-2 Gateway with httpbin already configured in TSB.
✓ Created a Tenant, and understand Workspaces and Config Groups.
✓ Configured tctl for your TSB environment.

The following diagram shows the request/response flow using OPA with Tier-1 Gateways. Requests that come to Tier-1 Gateway will be checked by OPA. If the request is deemed unauthorized, then the request will be denied with a 403 (Forbidden) response, otherwise they are sent to the Tier-2 Gateways.

Deploy httpbin Service

Follow the instructions in this document to create the httpbin service, and make sure the service is exposed at httpbin.tetrate.com.

Configuring OPA

For this example you will be deploying OPA as its own standalone service. Create a namespace for the OPA service, if you have not already done so:

kubectl create namespace opa

Follow the instructions in the OPA document to create an OPA policy using Basic Authentication, and deploy the OPA service and agent in the opa namespace.

kubectl apply -f opa.yaml

Then update your Tier-1 Gateway configuration your OpenAPI spec by adding the following section to the Tier-1 Gateway and use tctl to apply them

apiVersion: gateway.tsb.tetrate.io/v2
kind: Tier1Gateway
 organization: tetrate
 tenant: tetrate
 workspace: tier1
 group: tier1
 name: tier1gw
   namespace: tier1
     app: tier1gw
     istio: ingressgateway
 - name: httpbin
   hostname: httpbin.tetrate.com
   port: 443
     mode: SIMPLE
     secretName: tier1-cert
   - labels:
       network: tier2
       uri: grpc://opa.opa.svc.cluster.local:9191


You can test the external authorization by following the instructions in the “Configuring External Authorization in Ingress Gateways”, except you need to obtain the Tier-1 Gateway IP address instead of the Ingress Gateway address.

To obtain the Tier-1 Gateway address, execute the following command:

kubectl -n tier1 get service tier1-gateway \
  -o jsonpath='{.status.loadBalancer.ingress[0].ip}'

Then follow the instructions but replace the value for gateway-ip with the address of the Tier-1 Gateway.